The Simple Email That Let Russia Hack the DNC

By now, U.S. intelligence agencies have established that Russia did in fact hack both the Democratic National Committee and the Republican National Committee, which ultimately led to the leaking of information intended to swing the 2016 election in favor of Donald Trump. Now, new reporting from The New York Times has some horrifying details on exactly how Russian hackers were able to break into the systems, and they illustrate some important lessons we could all stand to learn.

According to The New York Times, the Russian cyberinvasion of the DNC's servers took place in two stages, but the second and most severe breach happened in mid-March when Hillary Clinton's campaign chairman John Podesta's private email account was hacked after he clicked on a phishing email, a fake correspondence purportedly from Google but actually from hackers, one designed to trick the recipient into revealing a password.

The Times got a look at the same attack as directed at another Clinton campaign official, Billy Rinehart. It is a full-color image, as opposed to the plain text leaked with the rest of John Podesta's emails:

[Image of the phishing email. Credit: The New York Times]

The attack referenced by the email is all but certainly fictitious, whereas the real attack is the big blue button, which does not actually lead to Google's site but instead to an attacker's, where all information will be intercepted. And as far as phishing emails go, it's pretty good! There are no obvious misspellings or other blatant errors that might expose the ruse.

The full leaked emails from Wikileaks reveal two important details: the address the email came from, and the link the button pointed to. In the case of most phishing attacks, these are the most obvious points where a hacker's illusions slip. Unable to use an actual @google.com email address or official Google website, hackers can only opt for rough approximations. In this case, the email came from "no-reply@accounts.googlemail.com" and the link in the email was obscured by the link-shortening service Bit.ly.
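The two tells described above, the sender's domain and the link's real destination, can be checked mechanically. The Python sketch below is an added example, not part of the original article: the trusted-domain allowlist and the shortener list are assumptions, and the sample message is constructed from the two details given above with a placeholder link path.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: domains a defender accepts for Google account alerts, and a
# short, non-exhaustive list of link-shortening hosts.
TRUSTED_DOMAINS = {"google.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. where a button really points."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_trusted(host):
    # Exact match or true subdomain only, so "evilgoogle.com" does not pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_message(raw):
    """Return (kind, host) findings for the sender domain and each link."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_trusted(sender_domain):
        findings.append(("sender", sender_domain))
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortened-link", host))  # destination is hidden
        elif not is_trusted(host):
            findings.append(("off-domain-link", host))
    return findings

# Constructed sample; the subject and link path are placeholders.
SAMPLE = """From: Google <no-reply@accounts.googlemail.com>
Subject: Security alert (constructed)
Content-Type: text/html; charset="utf-8"

<a href="https://bit.ly/EXAMPLE">CHANGE PASSWORD</a>
"""
```

A shortened link is flagged rather than resolved, because the point of the check is that the recipient cannot see where the button leads.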

What's worse is that, according to the report, one aide actually singled out the email as suspect, but another confirmed it to be legitimate, in what he now says was actually a typo. Per The Times:

"This is a legitimate email," Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta's aides, who had noticed the alert. "John needs to change his password immediately."

With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an "illegitimate" email, an error that he said has plagued him ever since.

Changing the password is generally not a bad idea when you are worried someone may be attempting to attack your account, but it was the method by which it was done—clicking the big blue button—that was the grave error. If there's one bit of useful, personal advice to come out of this whole mess it is this: Never ever change your password using a link from an unsolicited in-bound email. Instead, go to the website directly to start the process there, and do it on another device if you want to be extra careful.

Chances are there is not an entire presidential election at stake in your case, but it's an important thing for all of us to learn.
